
Samsung Android Work Environment must be configured to enable Certificate Revocation checking.


Overview

Finding ID: V-231049
Version: KNOX-11-022600
Rule ID: SV-231049r608683_rule
IA Controls:
Severity: Medium
Description
A Certificate Revocation List (CRL) allows a certificate issuer to revoke a certificate for any reason, including improperly issued certificates and compromise of the private keys. Checking the revocation status of the certificate mitigates the risk associated with using a compromised certificate. Online Certificate Status Protocol (OCSP) is a protocol for obtaining the revocation status of a certificate. It addresses problems associated with using CRLs. When OCSP is enabled, it is used prior to CRL checking. If OCSP could not obtain a decisive response about a certificate, it will then try to use CRL checking. The OCSP response server must be listed in the certificate information under Authority Info Access. This feature must be enabled for a Samsung Android device to be in the NIAP-certified CC Mode of operation.

SFR ID: FMT_SMF_EXT.1.1 #47
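As an added illustration (not part of the STIG text or of Samsung's implementation), the following Python models the evaluation order described above: OCSP is consulted first when enabled, and the CRL is used only when OCSP gives no decisive status, which is also what happens when the certificate lists no responder under Authority Info Access. The responder URL, serial numbers and answers are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Only "good" and "revoked" are decisive answers; "unknown" or an
# unreachable responder is not, and triggers the CRL fallback.
DECISIVE = {"good", "revoked"}

@dataclass
class Cert:
    """Constructed stand-in for a certificate: just the serial and the OCSP
    responder URL taken from its Authority Info Access extension (None
    models a certificate that lists no OCSP responder)."""
    serial: str
    ocsp_url: Optional[str] = None

def check_revocation(cert: Cert, ocsp_enabled: bool,
                     ocsp_query: Callable[[str, str], str],
                     crl_lookup: Callable[[str], str]) -> Tuple[str, str]:
    """Return (status, source) in the order the STIG describes: when OCSP is
    enabled it is consulted first, and the CRL is used only if OCSP gave no
    decisive answer. With OCSP disabled (Method #1) this is pure CRL checking."""
    if ocsp_enabled and cert.ocsp_url:
        status = ocsp_query(cert.ocsp_url, cert.serial)
        if status in DECISIVE:
            return status, "ocsp"
    return crl_lookup(cert.serial), "crl"

# Constructed sample responder and CRL (hypothetical URL and serials).
OCSP_RESPONDER = "http://ocsp.example.test"
OCSP_ANSWERS = {"1001": "good", "1002": "revoked"}   # responder knows only these
CRL_REVOKED = {"1002", "1003"}                       # serials listed on the CRL

def sample_ocsp(url: str, serial: str) -> str:
    if url != OCSP_RESPONDER:
        return "unreachable"
    return OCSP_ANSWERS.get(serial, "unknown")

def sample_crl(serial: str) -> str:
    return "revoked" if serial in CRL_REVOKED else "good"

def demo(ocsp_enabled: bool = True) -> dict:
    certs = [Cert("1001", OCSP_RESPONDER),   # OCSP answers "good": CRL never consulted
             Cert("1002", OCSP_RESPONDER),   # OCSP answers "revoked"
             Cert("1003", OCSP_RESPONDER),   # OCSP "unknown": CRL fallback finds it revoked
             Cert("1004", None)]             # no AIA OCSP entry: CRL only
    return {c.serial: check_revocation(c, ocsp_enabled, sample_ocsp, sample_crl)
            for c in certs}
```

Calling `demo(ocsp_enabled=False)` reproduces Method #1, where every certificate is answered from the CRL alone.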
STIG: Samsung Android 11 with Knox 3.x Legacy Security Technical Implementation Guide
Date: 2020-12-08

Details

Check Text (C-33979r592761_chk)
Confirm whether Method #1 or Method #2 is used at the Samsung device site and follow the appropriate procedure.

This validation procedure is performed on the management tool Administration Console only.

****

Validation Procedure for Method #1: CRL Checking

On the management tool, in the Work profile certificate section, verify that "Revocation check" is set to "enable for all apps".

If "Revocation check" on the management tool is not set to "enable for all apps", this is a finding.

****

Validation Procedure for Method #2: OCSP with CRL Fallback

On the management tool:
1. In the Work profile certificate section, verify that "Revocation check" is set to "enable for all apps".
2. In the Work profile restrictions section, verify that "OCSP check" is set to "enable for all apps".

If "Revocation check" on the management tool is not set to "enable for all apps", or if "OCSP check" is not set to "enable for all apps", this is a finding.
Fix Text (F-33952r592762_fix)
Configure Samsung Android Work Environment to enable Certificate Revocation checking by either of the following methods:

Method #1: CRL Checking

On the management tool, in the Work profile certificate section, set "Revocation check" to "enable for all apps".

****

Method #2: OCSP with CRL Fallback

On the management tool:
1. In the Work profile certificate section, set "Revocation check" to "enable for all apps".
2. In the Work profile restrictions section, set "OCSP check" to "enable for all apps".

****

Refer to the management tool documentation to determine how to configure Revocation and OCSP checking to "enable for all apps". Some may, for example, allow a wildcard string: "*".